Given a prime $p$ we consider the dynamical system generated by repeated exponentiations modulo $p$, that is, by the map $u \mapsto f_g(u)$, where $f_g(u) \equiv g^u \pmod p$ and $0 \le f_g(u) \le p-1$. This map is in particular used in a number of constructions of cryptographically secure pseudorandom generators. We obtain nontrivial upper bounds on the number of fixed points and short cycles in the above dynamical system.

1 Introduction 

Given a prime $p$ and an integer $g$ with $\gcd(g,p) = 1$ one can consider the dynamical system generated by consecutive exponentiations modulo $p$ where $g$ serves as the base. More precisely, we define the function $f_g(u)$ by the conditions

$$f_g(u) \equiv g^u \pmod p \quad\text{and}\quad 0 \le f_g(u) \le p-1,$$

and for some initial value $u_0$ we consider sequences of consecutive iterations

$$u_n = f_g(u_{n-1}), \qquad n = 1, 2, \ldots. \tag{1}$$

Besides being of intrinsic interest, this map has been used in several constructions, see [4, 9] and references therein.

Here we study the number of initial values $u_0 \in \{1, \ldots, p-1\}$ which lead to short cycles. More precisely, for an integer $k$ we denote by $N_g(k)$ the number of $u_0 \in \{1, \ldots, p-1\}$ such that for the sequence (1) we have $u_k = u_0$.

The quantities $N_g(1)$ (that is, the number of fixed points) and $N_g(2)$ have recently been studied in [2], [5], [6], [7], [4] "on average" over $g \in \{1, \ldots, p-1\}$. However, here we are mostly interested in "individual" results when $g$ is fixed.

We remark that questions of this kind can be reformulated in an equivalent form as questions about iterations of the discrete logarithm function. It is also important to note that generally speaking

$$f_g(f_g(u)) \not\equiv g^{g^u} \pmod p.$$

In particular, the results of [8] can be used to estimate the number of solutions to

$$g^{g^{u_0}} \equiv u_0 \pmod p, \qquad u_0 \in \{1, \ldots, p-1\},$$

but do not apply to $N_g(2)$ directly.
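The definitions above can be checked numerically on small primes. The following Python program is an added example and not code from the paper: it implements $f_g$, the sequence (1) and $N_g(k)$ by brute force, lists the cycles of $f_g$ on $\{1, \ldots, p-1\}$, checks Lemma 1 of Section 2 numerically, and reports the values $u$ for which $f_g(f_g(u))$ differs from $g^{g^u} \bmod p$. The parameters used ($p = 7$, $g = 3$ and $p = 11$, $g = 2$) are toy values chosen for illustration.

```python
# Added example (not code from the paper): the exponentiation map f_g, the
# iteration (1), the counting function N_g(k), a numerical check of Lemma 1,
# and a demonstration that f_g(f_g(u)) is in general not g^(g^u) mod p.
# The primes and bases used below are constructed toy parameters.

def f(g, u, p):
    """f_g(u) = g^u mod p, normalised to 0 <= f_g(u) <= p-1."""
    return pow(g, u, p)

def iterate(g, u0, p, k):
    """u_k obtained from u_0 by k applications of f_g, i.e. the sequence (1)."""
    u = u0
    for _ in range(k):
        u = f(g, u, p)
    return u

def N(g, p, k):
    """N_g(k): number of u_0 in {1,...,p-1} with u_k = u_0
    (the points whose period divides k)."""
    return sum(1 for u0 in range(1, p) if iterate(g, u0, p, k) == u0)

def cycles(g, p):
    """Decompose the periodic points of f_g on {1,...,p-1} into cycles,
    each returned as the tuple that starts at its smallest element."""
    seen, result = set(), []
    for u0 in range(1, p):
        if u0 in seen:
            continue
        # Walk the orbit until it repeats or meets an already processed
        # point; only the part after the first repeat is a cycle.
        orbit, u = [], u0
        while u not in orbit and u not in seen:
            orbit.append(u)
            u = f(g, u, p)
        seen.update(orbit)
        if u in orbit:
            cyc = orbit[orbit.index(u):]
            m = cyc.index(min(cyc))
            result.append(tuple(cyc[m:] + cyc[:m]))
    return sorted(result)

def lemma1_holds(g, u, p):
    """Lemma 1: for v = u mod p one has g^v = g^(u - floor(u/p)) (mod p)."""
    v, w = u % p, u // p
    return pow(g, v, p) == pow(g, u - w, p)

def double_iterate(g, u, p):
    """f_g(f_g(u))."""
    return f(g, f(g, u, p), p)

def tower(g, u, p):
    """g^(g^u) mod p; the exponent g^u is reduced modulo p-1 (Fermat),
    which is valid because gcd(g, p) = 1."""
    return pow(g, pow(g, u, p - 1), p)

def composition_mismatches(g, p):
    """Values u in {1,...,p-1} where f_g(f_g(u)) differs from g^(g^u) mod p."""
    return [u for u in range(1, p) if double_iterate(g, u, p) != tower(g, u, p)]

if __name__ == "__main__":
    print("cycles of f_2 mod 11:", cycles(2, 11))
    print("N_2(1), N_2(2), N_2(3) mod 11:", N(2, 11, 1), N(2, 11, 2), N(2, 11, 3))
    print("u with f_3(f_3(u)) != 3^(3^u) mod 7:", composition_mismatches(3, 7))
```

For $g = 2$, $p = 11$ the map is a permutation of $\{1, \ldots, 10\}$ with one fixed point, two cycles of length two and one cycle of length five, so $N_2(1) = 1$, $N_2(2) = 5$ and $N_2(3) = 1$; for $g = 3$, $p = 7$ the double iterate agrees with $g^{g^u}$ only at $u = 1$.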

2 Preparation 

We repeatedly use the following simple statement: 

Lemma 1. Let $u \equiv v \pmod p$ and $v \in \{0, 1, \ldots, p-1\}$, then

$$g^v \equiv g^{u - \lfloor u/p \rfloor} \pmod p.$$

Proof. Write

$$v = u - pw,$$

where

$$w = \left\lfloor \frac{u}{p} \right\rfloor.$$

Then

$$g^v = g^{u - pw} \equiv g^{u - w} \pmod p,$$

since $g^{p-1} \equiv 1 \pmod p$. □



3 Fixed Points 

In the case when $g$ is a primitive root one can easily derive from a much more general result of [3, Theorem 1] that $N_g(1) = O(p^{1/2})$.

Here we give a self-contained proof which also applies to any g. 

Theorem 2. For $p \ge 11$, uniformly over all integers $g$ with $\gcd(g,p) = 1$ we have $N_g(1) <$

Proof. Let $1 \le x_1 < \ldots < x_N \le p-1$, where $N = N_g(1)$, satisfy

$$g^{x_i} \equiv x_i \pmod p, \qquad i = 1, \ldots, N.$$

We consider the differences $x_i - x_j$, $1 \le j < i \le N$. Since $1 \le x_i - x_j \le p-2$, at least one difference, say $a$, is taken at least

$$T \ge \frac{N(N-1)}{2(p-2)}$$

times. Thus

$$x_j + a \equiv g^a x_j \pmod p$$

for at least $T$ values of $j = 1, \ldots, N$. This immediately implies that $T \le 1$ and the result follows. □



4 Cycles of Length Two 

Unfortunately, in the case of cycles of length two and three our method works 
only for small values of g. 
Theorem 3. For any fixed integer $g$ with $\gcd(g,p) = 1$ we have

$$N_g(2) \le C(g)\,\frac{p}{\log p},$$

where $C(g)$ depends only on $g$.

Proof. Let $1 \le y_1 < \ldots < y_N \le p-1$, where $N = N_g(2)$, satisfy

$$f_g(x_i) = y_i \quad\text{and}\quad f_g(y_i) = x_i, \qquad i = 1, \ldots, N,$$

for some $x_i = y_{j_i}$.

Let us choose a real positive parameter $z < p$ to be optimized later. Clearly, there are at most

$$I_0 \le p/z + 1 \tag{2}$$

values of $i = 1, \ldots, N$ with $y_{i+1} - y_i \ge z$ or $i = N$.

Now, for every positive $a < z$ we count the number $I_a$ of $i = 1, \ldots, N-1$ with $y_{i+1} - y_i = a$. For such $i$, from

$$y_i \equiv g^{x_i} \pmod p \quad\text{and}\quad y_{i+1} \equiv g^{x_{i+1}} \pmod p$$

we derive

$$g^{x_{i+1}} \equiv y_i + a \pmod p. \tag{3}$$

Furthermore, since both $x_i$ and $x_{i+1}$ generate cycles of length two, we have

$$g^{y_i} \equiv x_i \pmod p \quad\text{and}\quad g^{y_{i+1}} \equiv x_{i+1} \pmod p,$$

which yields

$$x_i g^a \equiv g^{y_i + a} = g^{y_{i+1}} \equiv x_{i+1} \pmod p.$$

Thus, by Lemma 1,

$$g^{x_{i+1}} \equiv g^{-k} y_i^{g^a} \pmod p, \tag{4}$$

where

$$k = \left\lfloor \frac{x_i g^a}{p} \right\rfloor.$$

Combining (3) and (4) we obtain

$$y_i + a \equiv g^{-k} y_i^{g^a} \pmod p.$$

Clearly, for every $a$ and $k$, this is a nontrivial polynomial equation of degree at most $g^a$ (to see this it is enough to compare the polynomials $Y + a$ and $g^{-k} Y^{g^a}$ at $Y = 0$). Hence for every $k$ there are at most $g^a$ possible values of $y_i$. Because $k$ takes at most $g^a$ possible values, we obtain

$$I_a \le g^{2a}, \qquad a < z. \tag{5}$$

Therefore, we see from (2) and (5) that

$$N_g(2) \le 2 I_0 + 2 \sum_{a < z} I_a \le 2p/z + 2 + 2 \sum_{a < z} g^{2a} < 2p/z + 2 + 2 g^{2z}.$$

Taking

$$z = \frac{\log p}{3 \log g}$$

we conclude the proof. □
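The chain of congruences (3), (4) in the proof above, and the resulting bound (5) on the gap counts $I_a$, can be verified numerically. The following Python program is an added example and not code from the paper: it enumerates the points of period dividing two, checks the congruence $y + a \equiv g^{-k} y^{g^a} \pmod p$ with $k = \lfloor x g^a / p \rfloor$ for every pair of such points at distance $a$ (the proof only needs consecutive pairs, but the derivation applies to any pair), and tabulates the counts $I_a$. The parameters in the tests are toy values chosen for illustration.

```python
# Added example (not code from the paper): numerical check of the congruence
# y_i + a = g^{-k} y_i^{g^a} (mod p), k = floor(x_i g^a / p), obtained in the
# proof of Theorem 3 by combining (3) and (4), and of the gap counts I_a
# bounded in (5). The primes and bases in the tests are constructed toy values.

def f(g, u, p):
    """f_g(u) = g^u mod p."""
    return pow(g, u, p)

def two_periodic_points(g, p):
    """Sorted y in {1,...,p-1} with f_g(f_g(y)) = y; their number is N_g(2)."""
    return [y for y in range(1, p) if f(g, f(g, y, p), p) == y]

def floor_k(g, p, x, a):
    """k = floor(x g^a / p), the Lemma 1 correction term for x' = x g^a mod p."""
    return (x * g**a) // p

def congruence_holds(g, p, y, a):
    """Check y + a = g^{-k} * y^{g^a} (mod p) for a 2-periodic point y with
    x = f_g(y) and k = floor(x g^a / p). The exponent g^a is reduced
    modulo p-1 (Fermat), which is legitimate because p does not divide y."""
    x = f(g, y, p)
    k = floor_k(g, p, x, a)
    lhs = (y + a) % p
    rhs = pow(g, -k, p) * pow(y, pow(g, a, p - 1), p) % p
    return lhs == rhs

def verify_theorem3_congruence(g, p):
    """True if the congruence holds for every pair y < y' of 2-periodic
    points with a = y' - y."""
    ys = two_periodic_points(g, p)
    return all(congruence_holds(g, p, y, yy - y)
               for i, y in enumerate(ys) for yy in ys[i + 1:])

def gap_counts(g, p):
    """I_a: number of consecutive 2-periodic points y_i < y_{i+1} with
    y_{i+1} - y_i = a, returned as a dict a -> I_a."""
    ys = two_periodic_points(g, p)
    counts = {}
    for y, yy in zip(ys, ys[1:]):
        counts[yy - y] = counts.get(yy - y, 0) + 1
    return counts

def gap_bound_holds(g, p):
    """Check the bound I_a <= g^{2a} of (5) for every observed gap a."""
    return all(cnt <= g ** (2 * a) for a, cnt in gap_counts(g, p).items())

if __name__ == "__main__":
    for g, p in [(3, 7), (2, 11), (2, 101)]:
        print(g, p, two_periodic_points(g, p), gap_counts(g, p),
              verify_theorem3_congruence(g, p), gap_bound_holds(g, p))
```

For $g = 2$, $p = 11$ the 2-periodic points are $3, 6, 7, 8, 9$, so $I_1 = 3 \le g^2 = 4$ and $I_3 = 1$, in agreement with (5).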



5 Cycles of Length Three 

Here we use $\mathbb{Z}_n = \{0, 1, \ldots, n-1\}$ to denote the residue ring modulo $n$. We also use $\mathbb{F}_p = \mathbb{Z}_p$ to denote the finite field of $p$ elements.

It is convenient to denote by $a \oplus_n b$ the sum of integers $a$ and $b$ modulo $n$; so, $a \oplus_n b \equiv a + b \pmod n$ and $0 \le a \oplus_n b \le n-1$.

We start with the following simple statement: 

Lemma 4. Let $g, y \in \{1, \ldots, p-1\}$. If

$$\left\lfloor \frac{gy + g}{p} \right\rfloor \ne \left\lfloor \frac{gy + 1}{p} \right\rfloor$$

then

$$y \in \left\{ \left\lfloor \frac{p}{g} \right\rfloor, \left\lfloor \frac{2p}{g} \right\rfloor, \ldots, \left\lfloor \frac{(g-1)p}{g} \right\rfloor, p-1 \right\}.$$

Proof. We have

$$\left\lfloor \frac{gy + g}{p} \right\rfloor = \left\lfloor \frac{gy + 1}{p} \right\rfloor + 1 = k + 1$$

for some positive integer

$$k \le \frac{g(p-1) + 1}{p} < g.$$

In particular

$$gy + 1 < (k+1)p \le gy + g,$$

thus

$$y < \frac{(k+1)p - 1}{g} < \frac{(k+1)p}{g} \le y + 1,$$

which gives the desired result. □

We also need the following combinatorial result, that could be of independent interest:

Lemma 5. Consider two arbitrary sets $\mathcal{M}, \mathcal{S} \subseteq \mathbb{Z}_n$ and also define $\mathcal{C} = \{x \in \mathcal{M} \mid x \oplus_n 1 \in \mathcal{M}\}$. Suppose there exists a map $\varphi : \mathcal{C} \setminus \mathcal{S} \to \mathbb{Z}_n \setminus \mathcal{M}$ such that the cardinality of the preimage $\varphi^{-1}(a)$ of $a$ satisfies $\#\varphi^{-1}(a) \le k$ for any $a \in \mathbb{Z}_n$. Then

$$\#\mathcal{M} \le \frac{(k+1)n}{k+2} + \frac{\#\mathcal{S}}{k+2}.$$

Proof. We split $\mathcal{M} = \mathcal{I}_1 \cup \cdots \cup \mathcal{I}_r$ into $r$ intervals of the form

$$\mathcal{I}_j = \{x_j, x_j \oplus_n 1, \ldots, x_j \oplus_n (h_j - 1)\} \subseteq \mathcal{M} \quad\text{and}\quad x_j \oplus_n h_j \notin \mathcal{M},$$

where $j = 1, \ldots, r$. Thus between $\mathcal{I}_j$ and $\mathcal{I}_{j+1}$ there is an element in $\mathbb{Z}_n \setminus \mathcal{M}$. This implies the inequalities

$$\#\mathcal{C} \ge \#\mathcal{M} - r \tag{6}$$

and

$$n \ge \#\mathcal{M} + r. \tag{7}$$

On the other hand, since $\varphi^{-1}(\mathbb{Z}_n \setminus \mathcal{M}) = \mathcal{C} \setminus \mathcal{S}$ we derive

$$n - \#\mathcal{M} \ge \frac{\#\mathcal{C} - \#\mathcal{S}}{k}.$$

So, recalling (6) and (7) one has

$$n \ge \#\mathcal{M} + \frac{\#\mathcal{C} - \#\mathcal{S}}{k} \ge \#\mathcal{M} + \frac{\#\mathcal{M} - \#\mathcal{S} - r}{k} \ge \#\mathcal{M} + \frac{2\#\mathcal{M} - \#\mathcal{S} - n}{k},$$

that implies the desired inequality. □
Theorem 6. Let $p$ be a prime. Then

$$N_g(3) \le \frac{3}{4}p + \frac{g^{2g+1} + g + 1}{4}.$$

Proof. All periodic points of $f_g$ belong to the multiplicative subgroup generated by $g$. So, the bound holds if $g$ is not a primitive root modulo $p$. In what follows we assume that $g$ is a primitive root modulo $p$ and, as usual, for an integer $u$ with $\gcd(u,p) = 1$ we define $\operatorname{ind}_g u$ as the unique nonnegative integer $v \le p-2$ with $g^v \equiv u \pmod p$.

Let $\mathcal{N}_3$ be the set of $u \in \{1, \ldots, p-1\}$ which generate a cycle of length three.

We consider

$$x_1 \in \mathcal{N}_3 \setminus \left\{ p-1,\ \operatorname{ind}_g(p-1),\ \operatorname{ind}_g\left(\lfloor p/g \rfloor\right), \ldots, \operatorname{ind}_g\left(\lfloor (g-1)p/g \rfloor\right) \right\} \tag{8}$$

and put

$$y_1 = f_g(x_1), \qquad z_1 = f_g(y_1), \qquad x_1 = f_g(z_1).$$

Suppose also that for $x_2 = x_1 \oplus_p 1$ we also have $x_2 \in \mathcal{N}_3$, that is,

$$y_2 = f_g(x_2), \qquad z_2 = f_g(y_2), \qquad x_2 = f_g(z_2).$$

We have

$$y_2 \equiv y_1 g \pmod p.$$

By Lemma 1 we have

$$z_2 = g^{y_2} = g^{g y_1 - p \lfloor g y_1/p \rfloor} \equiv z_1^g\, g^{-\lfloor g y_1/p \rfloor} \pmod p.$$

Then $z_1$ satisfies the following congruence:

$$x_1 + 1 = x_2 = g^{z_2} \equiv g^{u z_1^g - \lfloor u z_1^g/p \rfloor} \pmod p, \tag{9}$$

where $u \equiv g^{-\lfloor g y_1/p \rfloor} \pmod p$, $0 \le u \le p-1$.

Finally, suppose that $x_3 = \operatorname{ind}_g(y_1 + 1)$ and $x_4 = x_3 \oplus_p 1$ both satisfy $x_3, x_4 \in \mathcal{N}_3$. We put

$$y_3 = f_g(x_3), \qquad z_3 = f_g(y_3), \qquad x_3 = f_g(z_3)$$

and

$$y_4 = f_g(x_4), \qquad z_4 = f_g(y_4), \qquad x_4 = f_g(z_4).$$

In particular,

$$z_3 \equiv g z_1 \pmod p \tag{10}$$

and

$$y_4 \equiv g y_3 = g y_1 + g \pmod p. \tag{11}$$

Using (10) and Lemma 1, we have

$$x_3 = g^{z_3} \equiv g^{g z_1 - \lfloor g z_1/p \rfloor} = x_1^g\, g^{-\lfloor g z_1/p \rfloor} \pmod p. \tag{12}$$

Similarly, by (11) and Lemma 1, we have

$$z_4 = g^{y_4} \equiv v\, g^{g y_1 + g} \pmod p$$

with some integer

$$v \equiv g^{-\lfloor g(y_1+1)/p \rfloor} \pmod p \quad\text{and}\quad 0 \le v \le p-1.$$

Thus

$$z_4 \equiv g^g v z_1^g \pmod p,$$

and by Lemma 1 we derive

$$x_4 = g^{z_4} \equiv g^{g^g v z_1^g - \lfloor g^g v z_1^g/p \rfloor} \pmod p. \tag{13}$$

Since $x_4 = x_3 + 1$, we derive from (12) and (13) that

$$x_1^g\, g^{-\lfloor g z_1/p \rfloor} + 1 \equiv g^{g^g v z_1^g - \lfloor g^g v z_1^g/p \rfloor} \pmod p.$$

By the condition (8), we see that $u = v$. Therefore

$$x_1^g\, g^{-\lfloor g z_1/p \rfloor} + 1 \equiv \left( g^{u z_1^g - \lfloor u z_1^g/p \rfloor} \right)^{g^g} g^{g^g \lfloor u z_1^g/p \rfloor - \lfloor g^g u z_1^g/p \rfloor} \pmod p.$$

Recalling (9) and using $x_1 \equiv g^{z_1} \pmod p$, we see that the last congruence is equivalent to

$$x_1^g\, g^{-\lfloor g z_1/p \rfloor} + 1 \equiv (x_1 + 1)^{g^g}\, g^{g^g \lfloor u z_1^g/p \rfloor - \lfloor g^g u z_1^g/p \rfloor} \pmod p.$$

Now,

$$\left\lfloor \frac{g z_1}{p} \right\rfloor \in \{0, 1, \ldots, g-1\}$$

and

$$\left\lfloor \frac{g^g u z_1^g}{p} \right\rfloor - g^g \left\lfloor \frac{u z_1^g}{p} \right\rfloor \in \{0, 1, \ldots, g^g - 1\}.$$

So, $x_1$ satisfies one of $g^{g+1}$ possible nontrivial polynomial congruences of degree $g^g$. Let $\mathcal{X}$ denote the set of all such $x_1$. We now consider the set

$$\mathcal{S} = \mathcal{X} \cup \left\{ p-1,\ \operatorname{ind}_g(p-1),\ \operatorname{ind}_g\left(\lfloor p/g \rfloor\right),\ \operatorname{ind}_g\left(\lfloor 2p/g \rfloor\right), \ldots, \operatorname{ind}_g\left(\lfloor (g-1)p/g \rfloor\right) \right\}$$

of cardinality

$$\#\mathcal{S} \le g^{2g+1} + g + 1.$$

Then for every $x \notin \mathcal{S}$, if

$$x,\ x \oplus_p 1,\ f_g(x) \oplus_p 1 \in \mathcal{N}_3$$

then

$$f_g\big(f_g(f_g(x) \oplus_p 1)\big) \oplus_p 1 \notin \mathcal{N}_3.$$

We put $\mathcal{M} = \mathcal{N}_3$ and define the set $\mathcal{C}$ as in Lemma 5. We now construct the function $\varphi : \mathcal{C} \setminus \mathcal{S} \to \mathbb{F}_p \setminus \mathcal{M}$ by the following rule:

$$\varphi(x) = \begin{cases} f_g(x) \oplus_p 1 & \text{if } f_g(x) \oplus_p 1 \notin \mathcal{M}, \\[4pt] f_g\big(f_g(f_g(x) \oplus_p 1)\big) \oplus_p 1 & \text{if } f_g(x) \oplus_p 1 \in \mathcal{M}. \end{cases}$$

Since both functions used in the definition of $\varphi$ are invertible functions, we have $|\varphi^{-1}(a)| \le 2$ and thus we can apply Lemma 5 with $k = 2$, which concludes the proof. □



6 Open Questions 

We have no doubts that our estimates are very far from the true behaviour of $N_g(1)$, $N_g(2)$ and $N_g(3)$. Yet, they seem to be the only known results. Unfortunately, our approach does not work for $N_g(k)$ with $k \ge 4$ and finding an alternative way to estimate, say, $N_g(4)$ is an important open question.

One can also consider analogues of our results for elliptic curves. Namely, let $\mathcal{E}$ be an elliptic curve over $\mathbb{F}_p$ given by an affine Weierstraß equation:

$$\mathcal{E} : Y^2 = X^3 + aX + b.$$

It is well-known that $\mathcal{E}$ has a structure of a finite abelian group under an appropriate composition rule, with the point at infinity $\mathcal{O}$ as the neutral element, see [10].

Furthermore, given an $\mathbb{F}_p$-rational point $P \in \mathcal{E}$ we denote by $x(P)$ its $x$-coordinate. Using the group structure of points on $\mathcal{E}$, for a point $G \in \mathcal{E}$, we define the function $F_G(u)$ by the conditions

$$F_G(u) \equiv x(uG) \pmod N \quad\text{and}\quad 0 \le F_G(u) \le N-1,$$

where $N$ is the number of $\mathbb{F}_p$-rational points on $\mathcal{E}$.

We believe that the approach of this paper can also be used to study fixed points and cycles of length two and three associated with this map. However, the details can be more involved than in the case of modular exponentiation.